Hello. This is the first forum I've been able to access with the aim of getting advice. Most sites relating to malware or virus lead me to a can't connect page, although news sites and searches work fine.
This began yesterday. I was preparing to play a game online when my PC-cillin pops up with the possibility of a trojan. The desktop changed to one of those "You have been infected, Click here now for help!" things. I halted internet traffic and ran Adaware and a virus scan with PC-cillin. Adaware found Virtumonde, CoolWebSearch, and a key that disabled my TaskMgr, among other things. PC-cillin found one item but was unable to clean or quarantine it.
I've managed to remove Virtumonde (with Virtuomonde B Gone), and the CoolWebSearch (with cwshredder), and the key pertaining to my TaskMgr. In addition to all that, Opera and Firefox would not start up, and with IE, I had to search long before I could find somewhere where I could successfully download HijackThis and the rest.
I can use Firefox now, I renamed the exe to foxfire, but the problem still persists. In normal mode (i.e., not safe mode) I cannot surf at all, in IE or 'foxfire'. I thought this was due to the Trend Micro firewall, which I had set to high security, but setting it to medium did not help. Notepad works in safe mode, whereas it would crash otherwise, apparently intended to keep me from editing something.
I tried to install Spybot S&D, which I'd managed to download, and I noticed when the install process tries to download new files it attempts to connect to "127.0.0.1", which I've learned is my own machine. I checked the hosts file but there are no entries besides the local host. The same thing, perhaps, is happening when I try to access sites it does not like.
I unchecked everything in the Startups list under the msconfig app, except for trend micro and nvidia.
Here is my HJT log. I'm suspicious of the 444.471.exe file. Navigating to it with Explorer, I see 444.471 with no extension.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:16 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support
I downloaded BullGuard and scanned using it. It apparently discovered three trojans and some other stuff; a total of 17 or so. I have the log for that if anyone wishes to see it. It immediately deleted the lesser vermin but couldn't "disinfect" the trojans, so it quarantined them successfully. Then I clicked on the quarantine tab and deleted them.
But I'm having the same problem with browsing. Sites like "bleepingcomputer.com" and other popular help sites do not work, so therefore I cannot download many of the cleaner apps like comboscan. If it doesn't block access completely, it 'pretends' to download the app but the file doesn't appear. Clicking "Open" in Firefox's Download manager yields the error "The file as been deleted or moved."
I don't know what I have, so I downloaded Smitfraud, since it was one that did download, and cleaned the registry. All that seemed to do was switch my clock to military time.
I've had a similar experience, although after using BFU and TrueSword (smitfraud did nothing for me - most people will suggest that you use it and it's worth a shot I guess) I was able to get rid of the obnoxious ad/spyware related popups. However, I cannot get rid of the browser hijack issues that give me a "Page cannot be displayed" whenever I try to go to most web-security related sites. I also have the 444.471 running, and while I don't know if it started running when I got the virus, I do know that it was not running a month ago.
Currently, Security Task Manager lists 444.471 as the most likely file running to be malicious. If I find out anything, I'll re-post.
http://www.bullguard.com/forum/8/441444exe-file_62617.html the next thread has a similar issue with a similar file name.
http://www.bullguard.com/forum/10/Hijack-This-wont-work-major-re_62608.html is my thread on the subject and some earlier exploration of the problem.
http://www.newcougar.org/forums/lounge/125284-so-my-laptop-just-got-blitzed-some-kind-trojan-attack.html (if you can view there, it's not a security site so it should load for you) has the same problem posted 6/1.
http://www.windowsbbs.com/showthread.php?p=399731 same thing here (also another HijackThis log). Looks like a lovely new virus.
This is the text of the 444.471 file. I was able to terminate it via Security Task Manager but it appeared on next reboot. Security Task Manager says it is a monitor program.
Concresent, this is the exact same thing that my wife's laptop is doing!
- Notepad won't start, XP says it's terminating it to keep my computer safe.
- I can't hit any antivirus sites like AVG or Symantec.
- I had about 15-20 apps running called 1060.exe.
- If I turn on my wireless nic I start getting pop-ups that say something like "ATTENTION! Your computer is at risk.."
- Taskmanager was disabled "By the system administrator"
- Gpedit won't start
- uTorrent got installed somehow (I never installed it)
- It wouldn't let me install SBS&Destroy until I change the installers name
- At one point when I would try to ping any IP it would time out, noticed that the ip that each packet it printed in the screen was missing and was replaced with something like ?1 if I remember right. Figured the IP stack was in a hosed state
- Ran "netsh winsock reset" and the pings started working again
- some files and directories are hidden from explorer, they can only be seen from the cmd shell and even then you can't see them all
This is a bad one! I ran hijackthis and wrote down the paths for 1060.exe and some other strange stuff, booted off a knoppix cd and deleted them. The 1060's are gone and so is utorrent but the popups are still coming and I still can't hit the security sites, oh and notepad is still crashing when I try to run it.
I am having this same problem, I have in my task manager listed as a system file 444.471
Spybot pulled out: smitfraud-c.je and Win32.bho.je
I finally found an online virus scanner that would work with the remains of the one I was trying to delete and it has been scanning for about 18 hours and is only 37% scanned but it says it has found 10 things so far (what they are I have no clue as of yet).
I just had the same thing with my laptop. Once I noticed a popup window that just flashed, I unplugged my ethernet connection and disabled my wireless lan. I was determined to get rid of whatever just loaded into my computer. I had the same 441.471 program running and I killed it. Next thing you know my Task Manager was disabled. My background image changed to this "you have been attacked by spyware screen and if you want to get rid of it, click on this link". I went into my c:/windows directory and saw a whole bunch of files were loaded. I couldn't open them up in notepad because it was being listed in some Data Prevention Services from Windows that kept it from opening.
I opened my command prompt and opened all the new *.dll's that were loaded at the time I noticed the popup. I edited all these files by wiping them out and saving them empty. The "default" desktop background could be changed in edit mode but as each antivirus warning popped up, the default background would come back up as if it was stored somewhere else.
I didn't risk trying to connect back to the internet. My adaware did find the problem files but could not do anything with it. I did a system restore back to APRIL and since the files messed around with my registry, the restore could not solve the issue. So what I did was back up my pictures and music and I decided to format my drive and reinstall Windows.
This morning, the reinstall finished and I no longer have any issues with that virus.
I have also the same thing and cleaned many times in normal and safe mode and (as it seems) removed Virtumonde and Virtumonde.dll but still I can't make any updates for any security program and can't go into technical forums and can't go into security sites ... and maybe I can't do an online scanning. My notepad crashes as well and it was hard to save a HJT log ... and I needed WordPad to view it. When I try to do a DNS for some security sites ... the address 127.0.0.1 is always returned.
Is this a new threat that no one knows about?
By the way ... you can go into security sites and forums by using a proxy in the browser but well ... bear with the speed and some of the things that a proxy server might not allow.
I did it guys...I think I solved the problems and now I can connect to security sites and forums and also run anti-spyware programs like spybot without renaming them and my notepad doesn't crash.
I had to use each scanner in both modes .. normal and safe to make sure that nothing is going on. I used in the beginning DrWeb CureIT which removed some .sys files infected with trojan.rootkit.1297 (if I'm not mistaken by the number). I scanned again in safe mode. Then I scanned with Avast and made boot scan ... and a scan in normal mode. I then used spybotSD in both modes and used VundoFix and Combofix in safe mode.
I had a tiny problem when I restart my windows ... 2 notepad run in the startup trying to open some file ... later I knew the file name was desktop.ini. Anyway, it's a simple problem that can be fixed from msconfig and removing the items from the startup list there.
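The symptom several posters describe (security sites resolving to 127.0.0.1 while the hosts file holds only the localhost entry) can be checked with a short script that separates a hosts-file redirect from a loopback answer the hosts file does not explain. This is an added example, not part of any post in this thread; the function names and the sample hosts text and resolver answers are constructed for illustration.

```python
import ipaddress
import socket

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address (comments ignored)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                entries[name.lower()] = fields[0]
    return entries

def system_resolve(name):
    """Resolve through the OS resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # empty string or scoped IPv6 literal
        return False

def check(names, hosts_text, resolve=system_resolve):
    """Classify each name: ok, no-answer, hosts-redirect or unexplained-loopback."""
    hosts = parse_hosts(hosts_text)
    report = {}
    for name in names:
        addrs = resolve(name)
        if not addrs:
            report[name] = "no-answer"
        elif not any(is_loopback(a) for a in addrs):
            report[name] = "ok"
        elif is_loopback(hosts.get(name.lower(), "")):
            report[name] = "hosts-redirect"      # visible and fixable in the hosts file
        else:
            report[name] = "unexplained-loopback"  # hosts file is clean, look deeper
    return report

# Constructed sample data: a clean hosts file and canned resolver answers.
SAMPLE_HOSTS = "# sample\n127.0.0.1   localhost\n"
SAMPLE_ANSWERS = {"bleepingcomputer.com": {"127.0.0.1"}, "example.org": {"192.0.2.10"}}

def demo():
    return check(SAMPLE_ANSWERS, SAMPLE_HOSTS, resolve=lambda n: SAMPLE_ANSWERS.get(n, set()))

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a live machine, call `check()` with the real hosts file contents and the default resolver; an "unexplained-loopback" verdict matches what the posters saw and means the redirect is not coming from the hosts file.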